There's only one service on our network that I would like to implement traffic shaping for: the nightly backup via rsync/ssh to a remote server on the WAN. Since the traffic is encrypted, deep packet inspection is impossible, but I can use any port I want to isolate that particular backup.

Let's say if I do the backup on port 12345. Since I don't want the backup to affect network performance, I would like traffic on port 12345 from LAN to WAN to be lower priority than anything else going out to the WAN.

Yes. You simply add a rule for the traffic destined for port 12345 to be set to the lower priority queue. To further isolate, you might want to restrict the source to the server(s) initiating the outbound SSH/RSYNC connection.

(1) This is for traffic going from LAN to WAN, so would I establish a traffic shaper for the LAN interface or for the WAN interface?

(2) The options the wizard gives me are: Single LAN/Multi WAN, Single WAN/Multi LAN, Multiple LAN/WAN, and Dedicated Links. I have Single LAN/Single WAN, which isn't listed. Which choice is appropriate?

(3) I have the choice to "Enable/disable discipline and its children." I can't find in the documentation what that means.

(4) I can choose HFSC, PRIQ, CBQ, or FAIRQ. PRIQ is described in the documentation, and seems to be what I want. No other choices are described.

Other choices seem to be set up so that I can assign a bandwidth limit to each queue. I don't want to limit the bandwidth. I just want traffic on port 12345 to be lower priority than anything else.

Is there anywhere that this process is described in more detail?

1) On older pfSense 2.0 builds, you set a floating rule without selecting interface OR a rule on the LAN tab. On the newer RC1 builds (you can select Queue as the action), you will want 2 rules, one for the LAN tab and one floating. There are certain issues with matching the traffic both ways and I've found that setting 2 rules, one in floating, one in LAN, will help match the traffic both ways.

2) Choose Single LAN, Multi-WAN. Enter 1 for number of WAN connections when prompted.

3) Use the traffic shaper wizard and ignore that for now.

4) You want PRIQ, this can be set in the traffic shaper wizard. Follow the wizard through, don't select VOIP prioritising unless you have such traffic. For the applications page, select a random application (say HTTP) and set to lower priority.

After you're done with the wizard, head to Firewall -> Rules -> Floating. You will see a rule for HTTP, go ahead and delete the rule. We just needed it so that the shaper will create the lower priority queue for you. Now, head to LAN tab. Add a rule by clicking the '+' sign at the top right corner.

For protocol, set the appropriate protocol (TCP or UDP) for the RSYNC or SSH service.

For source, you can select 'Single Host', enter the LAN IP of the server making the outbound connection.

For destination, select Any and the port as the port on your destination server (12345 in the example you gave).

Scroll down to Queues then select qAck/qOtherLow for the queues.

Click save.

You will be brought to the Rules page again. This time, head to the LAN tab and find the rule you just created. Click the '+' sign beside the rule to duplicate it. Follow the above but set the protocol and destination port as per the 2nd rule you need (SSH if the first rule was Rsync, vice versa). Click save.

Now head to Floating rules, add a new rule. For Action, select 'Queue'. Protocol as per above. Do not select direction and do not select the interface. Just select the destination port and set the queues below and save. Again, duplicate as with the LAN rules.
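The procedure above is all done through the pfSense GUI, but what it produces underneath is an ALTQ ruleset for pf. The fragment below is an added illustration, not from the thread and not pfSense's own generated ruleset, of what the PRIQ queues plus the LAN and floating rules amount to in pf.conf syntax. It assumes sk0 is the WAN and re0 the LAN (as posted later in the thread), a backup host at 192.168.1.10, destination port 12345, a 30Mb uplink, and the four wizard queue names qACK, qDefault, qOthersHigh and qOthersLow (the thread names only qACK and qOthersLow; the other two are assumed). The qlimit and tbrsize values are placeholders, not tuned numbers.

```pf
# Added example: hand-written pf.conf fragment for the rsync/ssh backup shaping.
# Not pfSense's generated rules. Constructed assumptions: sk0 = WAN, re0 = LAN,
# backup server 192.168.1.10, remote rsync-over-ssh port 12345, 30Mb uplink.

# PRIQ on the WAN interface: strict priority, no per-queue bandwidth caps.
# qlimit and tbrsize are the "Queue limits" and "TBR size" mentioned in the
# thread; the numbers here are starting points only.
altq on sk0 priq bandwidth 30Mb qlimit 500 tbrsize 24000 \
    queue { qACK, qDefault, qOthersHigh, qOthersLow }

# Higher number = higher priority (PRIQ range is 0-15).
queue qACK        priority 7                  # empty ACKs / low-delay packets
queue qOthersHigh priority 4                  # assumed wizard queue, unused here
queue qDefault    priority 3 priq(default)    # everything not matched below
queue qOthersLow  priority 1                  # the nightly backup

# Floating rule (pfSense evaluates these first): no interface, no direction,
# so it matches the connection on whichever interface sees it.
# queue (qOthersLow, qACK): bulk data goes to qOthersLow, pure ACKs to qACK,
# so the return direction of the transfer is not starved.
pass quick proto tcp from 192.168.1.10 to any port 12345 \
    flags S/SA keep state queue (qOthersLow, qACK)

# LAN-tab rule: the same match, inbound on re0 only. The thread's author found
# that having both rules is what makes the traffic match in both directions.
pass in quick on re0 proto tcp from 192.168.1.10 to any port 12345 \
    flags S/SA keep state queue (qOthersLow, qACK)
```

To check that the backup really lands in the low-priority queue, watch the per-queue counters while a transfer is running (Status -> Queues in the GUI, or `pfctl -vvsq` on the console): bytes should accumulate on qOthersLow, with only small packets on qACK, and other traffic should stay in qDefault. A ruleset file can be syntax-checked without loading it with `pfctl -nf <file>`. If, as happened later in this thread, throughput halves after enabling the shaper, the first things to compare are the `bandwidth` figure on the `altq` line and the qlimit/tbrsize values, since a bandwidth figure below the real link speed caps the whole interface, not just the shaped queue.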

Your step-by-step procedure worked like a charm. The only thing I modified is that I only set it up for one port, since my understanding is that the command ' rsync -e "ssh -p 12345" ' only uses port 12345. No other ports are used, to the best of my knowledge.

Just a quick follow-up: Following dreamslacker's procedure, I allocated port 12345 traffic to a lower priority queue. Nothing else is prioritized.

My firewall is an ancient Pentium III 1GHz computer with 512MB of memory (I chose it because it was a lot faster than my Commodore 64 :-)).

Now, when I do a bandwidth test with no other network activity, it maxes out at about 30Mbits. Before I implemented the traffic shaping, it maxed out at 60-70 Mbits. During the test, CPU load on the firewall remains low (0.2-0.3).

Is my Pentium III/1GHz too slow, or is it possible that traffic that isn't assigned to a queue only gets 1/2 the available WAN bandwidth?

re0 is a Trendnet TEG-PCITXR Gigabit PCI card (Realtek RTL8169 chipset).

I'm not positive about the hardware for sk0; I believe it is a D-Link DGE-530T (also a gigabit card).

sk0 is the WAN interface. re0 is the LAN interface.

I'm not 100% sure this is hardware related. It seems suspicious to me that the maximum bandwidth drops by precisely 50% when I implement traffic shaping. Could it be that something is dividing the bandwidth in 2 and allocating half to most of my traffic?

Also, have you tweaked the Queue limits? You probably want to raise the Queue limits and play with the TBR size a little.

I just recreated the queues based on your instructions again, and ran the test, and it works fine now. The WAN interface can get full speed. It is possible I was dealing with a temporary problem with the ISP or I had somehow misconfigured the queues. In any case, when I ran through the wizard again, it created the following 4 queues. Traffic not assigned to the qACK/qOthersLow queue can get full bandwidth utilization.

Hi everyone. I'm trying to understand what the "httpvideo" or "httpaudio" protocols mean, or how pfSense works with them so that the traffic shaper can lower the priority of video downloads on web pages, audio downloads, etc.

I'm working on a project about L7 filtering and I chose pfSense to demonstrate and explain L7 filtering. I work on pfSense 2.0 RC1 in virtual machines on VMware, and I need to shape traffic between the LAN interface and the WAN interface.

Anyway, that's why I want to understand how httpvideo in the 'L7' section of the traffic shaper works.